Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript code that interacts improperly with a CollectGarbage function call on a CMarkup object allocated by the CMarkup::CreateInitialMarkup function.
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-035
http://www.kb.cert.org/vuls/id/239151